Security policy
ArcVelvet welcomes security research and responsible disclosure. We treat security feedback as a contribution to the platform on the same footing as code contributions, and we commit to the policy below.
Reporting
Email arcvelvet@arcvelvet.com with "Security" in the subject line. Include enough detail for us to reproduce the issue: affected URL or surface, reproduction steps, expected versus observed behaviour, your environment, and (if relevant) proof-of-concept output. For sensitive disclosures, the same address accepts PGP-encrypted mail if you prefer; ask for a key in plaintext first.
We aim to acknowledge reports within 48 hours and provide a substantive response within 7 days. For critical issues that put user data or financial integrity at risk, we treat the response window as on-call hours, not business hours.
In scope
- The live production platform at arcvelvet.com and its subdomains.
- The Cloud Functions exposed by the platform (the https://us-central1-arcvelvetos.cloudfunctions.net/* endpoints and any custom-domain callable surfaces).
- The Firebase Hosting configuration, Firestore security rules, and Cloud Storage rules that gate access to user data and platform resources.
- The C2PA signing infrastructure and verifier endpoints, including /.well-known/c2pa-certs, /.well-known/c2pa-jwks, and the manifest validation pipeline.
- Authentication and account-recovery flows.
Out of scope
- Third-party services the platform depends on (Stripe, PostHog, Firebase, Google Cloud, SendGrid). Report vulnerabilities in those services to the respective vendor.
- Denial-of-service testing against production. If you suspect a DoS vector, describe it without exercising it and we will reproduce in a controlled environment.
- Social-engineering attacks against ArcVelvet employees or contractors.
- Physical attacks against ArcVelvet property or personnel.
- Reports generated by automated scanners without a meaningful proof-of-concept attached.
Safe harbor
We commit to not pursuing legal action against researchers who:
- Make a good-faith effort to avoid privacy violations, data destruction, or service interruption.
- Use the contact address above to report findings before public disclosure.
- Give us a reasonable window (we suggest 90 days, but we are flexible if a fix is in flight) to remediate before publishing.
- Do not extract, store, or share user data beyond what is necessary to demonstrate the vulnerability.
We will not file civil or criminal complaints under computer-misuse statutes against researchers operating in good faith under this policy. If a third party brings action against you for security research performed under this policy in good faith, we will publicly support your defense to the extent permitted by law.
Rewards
We do not run a formal bug bounty at this stage. We commit to crediting researchers in any public disclosure (release notes, security advisory, or post-mortem) unless you ask to remain anonymous. When the platform reaches a scale where a bounty makes sense, this policy will be updated and the credit history will be honored.
Coordinated disclosure
For vulnerabilities that affect third-party services or the C2PA substrate (cert validation, JUMBF/COSE parsing, etc.), we will coordinate disclosure with the upstream maintainers and credit you in that coordination. The 48-hour acknowledgement and 7-day substantive response targets still apply on our side.